aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Niedermayer <michael@niedermayer.cc>2019-08-02 23:54:49 +0200
committerMichael Niedermayer <michael@niedermayer.cc>2020-07-01 12:11:55 +0200
commit70ec9a6f7ef3cdeac570497525e4d352d6ff31a5 (patch)
treebfc9753a2388fc1a761c44249e684650662fefc3
parentfbe4a2151809446e099110d98bc6506d10e83584 (diff)
downloadffmpeg-70ec9a6f7ef3cdeac570497525e4d352d6ff31a5.tar.gz
avcodec/hnm4video: Forward errors of decode_interframe_v4()
Fixes: Timeout (108sec -> 160ms) Fixes: 15570/clusterfuzz-testcase-minimized-ffmpeg_AV_CODEC_ID_HNM4_VIDEO_fuzzer-5085482213441536 Reviewed-by: Tomas Härdin <tjoppen@acc.umu.se> Found-by: continuous fuzzing process https://github.com/google/oss-fuzz/tree/master/projects/ffmpeg Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit 9af8ce754b705c36ad4d2b6fd0f73f87ca4381c4) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
-rw-r--r--libavcodec/hnm4video.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/libavcodec/hnm4video.c b/libavcodec/hnm4video.c
index a64dbb1746..5ca7fb58cd 100644
--- a/libavcodec/hnm4video.c
+++ b/libavcodec/hnm4video.c
@@ -143,7 +143,7 @@ static void copy_processed_frame(AVCodecContext *avctx, AVFrame *frame)
}
}
-static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
+static int decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t size)
{
Hnm4VideoContext *hnm = avctx->priv_data;
GetByteContext gb;
@@ -162,7 +162,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
if (tag == 0) {
if (writeoffset + 2 > hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
}
hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
hnm->current[writeoffset++] = bytestream2_get_byte(&gb);
@@ -176,7 +176,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
count = bytestream2_get_byte(&gb) * 2;
if (writeoffset + count > hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
}
while (count > 0) {
hnm->current[writeoffset++] = bytestream2_peek_byte(&gb);
@@ -188,7 +188,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
}
if (writeoffset > hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR, "writeoffset out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
}
} else {
previous = bytestream2_peek_byte(&gb) & 0x20;
@@ -204,24 +204,25 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
if (!backward && offset + 2*count > hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
} else if (backward && offset + 1 >= hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
} else if (writeoffset + 2*count > hnm->width * hnm->height) {
av_log(avctx, AV_LOG_ERROR,
"Attempting to write out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
+
}
if(backward) {
if (offset < (!!backline)*(2 * hnm->width - 1) + 2*(left-1)) {
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
}
} else {
if (offset < (!!backline)*(2 * hnm->width - 1)) {
av_log(avctx, AV_LOG_ERROR, "Attempting to read out of bounds\n");
- break;
+ return AVERROR_INVALIDDATA;
}
}
@@ -268,6 +269,7 @@ static void decode_interframe_v4(AVCodecContext *avctx, uint8_t *src, uint32_t s
}
}
}
+ return 0;
}
static void decode_interframe_v4a(AVCodecContext *avctx, uint8_t *src,
@@ -434,7 +436,9 @@ static int hnm_decode_frame(AVCodecContext *avctx, void *data,
decode_interframe_v4a(avctx, avpkt->data + 8, avpkt->size - 8);
memcpy(hnm->processed, hnm->current, hnm->width * hnm->height);
} else {
- decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+ int ret = decode_interframe_v4(avctx, avpkt->data + 8, avpkt->size - 8);
+ if (ret < 0)
+ return ret;
postprocess_current_frame(avctx);
}
copy_processed_frame(avctx, frame);